Why 'files.py' does not print the filenames into a table format?

Ferrous Cranus support at superhost.gr
Sun Jun 16 09:57:56 EDT 2013


On 16/6/2013 4:07 πμ, Nick the Gr33k wrote:
> On 16/6/2013 1:51 πμ, Chris Angelico wrote:
>> On Sun, Jun 16, 2013 at 6:29 AM, Benjamin Schollnick
>> <benjamin at schollnick.net> wrote:
>>> cur.execute('''SELECT ID FROM counters WHERE url = %s''', page )
>>> cur.execute('''INSERT INTO counters (url) VALUES (%s)''', page )
>>>
>>> Sure, whoever wrote that code is a fool.
>>>
>>> http://xkcd.com/327/
>>>
>>> They didn't sanitize your database inputs.
>>
>> I assume you're talking about the above two lines of code? They're not
>> SQL injection targets.
>
> Then how those page entries found in the database Chris?
>
>> The clue is that the %s isn't in quotes.
>
> What happens if i write it like this?
>
> cur.execute('''SELECT ID FROM counters WHERE url = "%s"''', page )
>
> How quoting of %s helps here?
>
>> This is an out-of-band argument passing method (actually, since he's
>> using
>> MySQL (IIRC), it's probably just going to escape it and pass it on
>> through, but it comes to the same thing), so it's safe.
>
> Yes iam using a comma and not a substitute operator, so input is mysql
> validates.
>
> Please explain what is an "out-of-band argument passing method"
>
> What your idea of those entries made it to the counters database table?
>
>

Chris? Care to explain please?

-- 
What is now proved was at first only imagined!
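The distinction Chris is drawing (the value travels separately from the SQL text instead of being pasted into it, and the placeholder must not be put inside quotes) is easy to show with a small runnable script. This is an added example, not code from the thread; it uses the standard library sqlite3 module and its `?` placeholder instead of MySQLdb's `%s`, and the `counters` table contents are constructed here. The `mysqldb_style_render` helper is a simplified imitation of what a client-side escaping driver does, not MySQLdb's actual code.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "counters" table.
PAGES = ["index.html", "about.html", "files.py"]


def make_db():
    """Build an in-memory counters table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE counters (id INTEGER PRIMARY KEY, url TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO counters (url, hits) VALUES (?, ?)",
                     [(p, i + 1) for i, p in enumerate(PAGES)])
    return conn


def lookup_formatted(conn, page):
    """In-band: the value is spliced into the SQL text with %, so the value
    can change the meaning of the query."""
    sql = "SELECT id, url FROM counters WHERE url = '%s'" % page
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, page):
    """Out-of-band: the SQL text and the value are passed as separate
    arguments (comma, not %); the driver binds the value as data only."""
    sql = "SELECT id, url FROM counters WHERE url = ?"
    return conn.execute(sql, (page,)).fetchall()


def quoted_placeholder_error(conn, page):
    """The mistake asked about in the thread: quoting the placeholder.
    '?' inside quotes is just a one-character string literal, so the
    statement has zero parameters and the driver rejects the extra value.
    Returns the error text, or None if (unexpectedly) no error was raised."""
    sql = "SELECT id, url FROM counters WHERE url = '?'"
    try:
        conn.execute(sql, (page,))
    except sqlite3.ProgrammingError as exc:
        return str(exc)
    return None


def mysqldb_style_render(sql, params):
    """Simplified imitation (an assumption, not MySQLdb's real implementation)
    of a client-side escaping driver: each value is escaped, wrapped in single
    quotes, and then substituted for %s. Shows why url = "%s" is wrong: the
    result compares against the text 'files.py' *including* its quotes."""
    def literal(value):
        return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"
    return sql % tuple(literal(p) for p in params)


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"          # classic tautology used only to show the difference
    print(lookup_parameterized(conn, "files.py"))   # [(3, 'files.py')]
    print(lookup_formatted(conn, hostile))          # every row: the input rewrote the query
    print(lookup_parameterized(conn, hostile))      # []: the input was treated as plain data
    print(quoted_placeholder_error(conn, "files.py"))
    print(mysqldb_style_render("SELECT ID FROM counters WHERE url = %s", ("files.py",)))
    print(mysqldb_style_render('SELECT ID FROM counters WHERE url = "%s"', ("files.py",)))
```

With the unquoted `%s` the rendered MySQL statement is `url = 'files.py'`; with `"%s"` it becomes `url = "'files.py'"`, which in MySQL's default mode compares the column against an eleven-character string that starts and ends with a quote and therefore never matches a stored URL. Whether the driver binds the value server-side (sqlite3) or escapes it client-side (MySQLdb), the point is the same: pass the value as the second argument and leave the placeholder bare.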
